Slashdot Mirror

← Back to Stories (view on slashdot.org)

AT&T Glitch Connects Users To Wrong Accounts

Posted by Soulskill on from the reach-out-and-touch-some-one-at-random dept.

CAE guy writes "The Boston Globe is carrying an AP report which begins: 'A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information. The glitch — the result of a routing problem at the family's wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.' Who needs to worry about man-in-the-middle attacks when your service provider will hijack your session for you?"

3 of 138 comments (clear)

  1. Caching by nOw2 · · Score: 5, Interesting

    I can't say for AT&T or Facebook what happened in this case, but I have seen similar things happening with poor-quality web caching proxies.

    I am specifically talking of the horror that is Microsoft's ISA server.

    At a previous job at an office powered by an MSDN subscription, there were cases where users would open websites for the first time and find themselves immediately logged in as someone who had already used and logged into that site on a nearby LAN computer.

  2. Hardly new in end effect... by shoppa · · Score: 4, Interesting

    The article says:

    Several security experts said they had not heard of a case like this, in which the wrong person was shown a Web page whose user name and password had been entered by someone else.

    But I, as a just random user of some commercial (read: mail-order, telephone company, etc.) websites have several times over the years requested information about my account and orders - and seen instead somebody else's information. In these cases the cause seems to have been non-unique cookies although that is purely a guess, maybe indeed there was some hijacking going on at the network level.

    Some of these websites were supposedly "https" but some inspection of HTML source revealed this was just the frame, the actual information was frequently in non-secure inner frames. Poked around a tiny little bit and found that by altering the URL's in those frames I could see arbitrary customer's account info.

    I didn't have the courage to tell anyone - after all, accessing somebody else's account information is a federal crime.

  3. Re:This makes no sense... by Ungrounded+Lightning · · Score: 3, Interesting

    How in the World can this be AT&T's fault ...

    1) Alice and Bob are both logging in to facebook. They send the last message of the login at nearly the same time.
    2) Facebook
    3) AT&T gives Alice's cookie to Bob. (Several ways to do this.)
    4) Because Bob's browser was expecting the reply with the cookie from Facebook it accepts it and continues with the login step. Except for having the wrong cookie everything is as it should be.
    5) Bob's transactions are marked with Alice's cookie until he logs out, logs in again, or the session expires. He's logged in as Alice.

    If you read the fine article, one of the examples is exactly that. In step 3) "Bob" and "Alice" had their replies-with-cookie swapped so they each ended logged in as the other.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way